Closed blj closed 4 years ago
This is the right behavior, actually. What the SDK is doing is expected for any OIDC/OAuth2 client: making sure that the response and its ID token match an authentication request initiated by the app from the same browser.
While Auth0 tries to make a direct SAML-to-OIDC protocol translation, the reality is that OIDC does not have the concept of IdP-initiated flows, and thus any good OIDC SDK that makes the proper validations will reject the response (this is briefly explained at https://auth0.com/docs/protocols/saml/idp-initiated-sso#on-idp-initiated-flows-and-openid-connect)
An alternative flow, if the SAML identity provider supports it, would be to link to your app's login endpoint directly (many IdPs now support this). The panel in the IdP would link to something like https://yourapp.com/login, where your app can initiate the authentication (and then the flow would work fine).
You can add a query string parameter in the request to your app's login endpoint (e.g. https://yourapp.com/login?connection=connection_name) so that the IdP can identify itself. Your app, in turn, should use the connection parameter when redirecting to Auth0's authorize endpoint (e.g. https://login.molecule.io/authorize?[...]&connection=the_connection_name). By including the connection name in the authorization request, Auth0 can send the user directly to the identity provider (without showing the Auth0 hosted login page) and thus the user will get single sign-on.
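As an added illustration of the two-endpoint flow described above (this is not code from Auth0 or from the SDK discussed in this issue), here is a minimal Ruby sketch: the app's login endpoint mints state and nonce, stores them in the browser session and forwards the connection name to /authorize, while the callback rejects any response whose state and nonce are not in the session, which is exactly the fate of an IdP-initiated response. The tenant domain, client id and redirect URI are placeholders.

```ruby
require 'securerandom'
require 'uri'

# Placeholder values; substitute the real tenant, client id and callback URL.
AUTH0_DOMAIN = 'your-tenant.auth0.com'
CLIENT_ID    = 'client_id_placeholder'
REDIRECT_URI = 'https://yourapp.com/callback'

# Constant-time string comparison so state/nonce checks do not leak timing.
def secure_equal(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# App-initiated login: remember state + nonce in the session and send the user
# to /authorize with the connection name so Auth0 goes straight to the SAML IdP
# instead of showing its hosted login page.
def build_login_redirect(session, connection)
  session[:state] = SecureRandom.hex(16)
  session[:nonce] = SecureRandom.hex(16)
  query = URI.encode_www_form(
    response_type: 'code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: 'openid profile',
    state: session[:state],
    nonce: session[:nonce],
    connection: connection
  )
  "https://#{AUTH0_DOMAIN}/authorize?#{query}"
end

# Callback validation as any OIDC client performs it. Returns :ok or a symbol
# naming the failure. An IdP-initiated response arrives with no state/nonce in
# the session, so it is refused before the ID token is trusted.
def validate_callback(session, params, id_token_claims)
  expected_state = session.delete(:state)
  expected_nonce = session.delete(:nonce)
  return :csrf_detected  unless secure_equal(expected_state, params['state'])
  return :nonce_mismatch unless secure_equal(expected_nonce, id_token_claims['nonce'])
  :ok
end
```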
Hey @nicosabena, I'm wondering if this same issue that I'm having is related to this issue. It's a bit strange so I'm wondering if this is the same.
We have a client who gets redirected to their IdP login page from our Auth0 hosted login page. After they log in, our application either says "Idp not enabled" when we have IdP disabled or "csrf detected" when we toggle IdP on.
Any information is appreciated on this :)!
Description
When a session is initiated from an IdP, e.g. configured like an Okta app, the callback phase with code type seems to be failing in verify_nonce.
Reproduction
code → verify_nonce in callback
Environment
master branch